Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-01 10:42:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1e562deace
linux-next/security/integrity/ima
History
Lukas Wunner 1e562deace crypto: rsassa-pkcs1 - Migrate to sig_alg backend 
A sig_alg backend has just been introduced with the intent of moving all
asymmetric sign/verify algorithms to it one by one.

Migrate the sign/verify operations from rsa-pkcs1pad.c to a separate
rsassa-pkcs1.c which uses the new backend.

Consequently there are now two templates which build on the "rsa"
akcipher_alg:

* The existing "pkcs1pad" template, which is instantiated as an
  akcipher_instance and retains the encrypt/decrypt operations of
  RSAES-PKCS1-v1_5 (RFC 8017 sec 7.2).

* The new "pkcs1" template, which is instantiated as a sig_instance
  and contains the sign/verify operations of RSASSA-PKCS1-v1_5
  (RFC 8017 sec 8.2).

In a separate step, rsa-pkcs1pad.c could optionally be renamed to
rsaes-pkcs1.c for clarity.  Additional "oaep" and "pss" templates
could be added for RSAES-OAEP and RSASSA-PSS.

Note that it's currently allowed to allocate a "pkcs1pad(rsa)" transform
without specifying a hash algorithm.  That makes sense if the transform
is only used for encrypt/decrypt and continues to be supported.  But for
sign/verify, such transforms previously did not insert the Full Hash
Prefix into the padding.  The resulting message encoding was incompliant
with EMSA-PKCS1-v1_5 (RFC 8017 sec 9.2) and therefore nonsensical.

From here on in, it is no longer allowed to allocate a transform without
specifying a hash algorithm if the transform is used for sign/verify
operations.  This simplifies the code because the insertion of the Full
Hash Prefix is no longer optional, so various "if (digest_info)" clauses
can be removed.

There has been a previous attempt to forbid transform allocation without
specifying a hash algorithm, namely by commit c0d20d22e0 ("crypto:
rsa-pkcs1pad - Require hash to be present").  It had to be rolled back
with commit b3a8c8a5eb ("crypto: rsa-pkcs1pad: Allow hash to be
optional [ver #2]"), presumably because it broke allocation of a
transform which was solely used for encrypt/decrypt, not sign/verify.
Avoid such breakage by allowing transform allocation for encrypt/decrypt
with and without specifying a hash algorithm (and simply ignoring the
hash algorithm in the former case).

So again, specifying a hash algorithm is now mandatory for sign/verify,
but optional and ignored for encrypt/decrypt.

The new sig_alg API uses kernel buffers instead of sglists, which
avoids the overhead of copying signature and digest from sglists back
into kernel buffers.  rsassa-pkcs1.c is thus simplified quite a bit.

sig_alg is always synchronous, whereas the underlying "rsa" akcipher_alg
may be asynchronous.  So await the result of the akcipher_alg, similar
to crypto_akcipher_sync_{en,de}crypt().

As part of the migration, rename "rsa_digest_info" to "hash_prefix" to
adhere to the spec language in RFC 9580.  Otherwise keep the code
unmodified wherever possible to ease reviewing and bisecting.  Leave
several simplification and hardening opportunities to separate commits.

rsassa-pkcs1.c uses modern __free() syntax for allocation of buffers
which need to be freed by kfree_sensitive(), hence a DEFINE_FREE()
clause for kfree_sensitive() is introduced herein as a byproduct.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2024-10-05 13:22:04 +08:00
..
ima_api.c ima: Move file-change detection variables into new structure 2024-04-09 17:14:57 -04:00
ima_appraise.c integrity: Avoid -Wflex-array-member-not-at-end warnings 2024-04-08 07:55:48 -04:00
ima_asymmetric_keys.c fs: port xattr to mnt_idmap 2023-01-19 09:24:28 +01:00
ima_crypto.c ima: add crypto agility support for template-hash algorithm 2024-04-12 09:59:04 -04:00
ima_efi.c ima: require signed IMA policy when UEFI secure boot is enabled 2023-08-01 08:18:11 -04:00
ima_fs.c ima: fix wrong zero-assignment during securityfs dentry remove 2024-06-03 16:37:22 -04:00
ima_iint.c lsm: add the inode_free_security_rcu() LSM implementation hook 2024-08-12 15:35:04 -04:00
ima_init.c integrity: Avoid -Wflex-array-member-not-at-end warnings 2024-04-08 07:55:48 -04:00
ima_kexec.c ima: add crypto agility support for template-hash algorithm 2024-04-12 09:59:04 -04:00
ima_main.c crypto: rsassa-pkcs1 - Migrate to sig_alg backend 2024-10-05 13:22:04 +08:00
ima_modsig.c ima: Add __counted_by for struct modsig and use struct_size() 2023-10-20 10:52:41 -07:00
ima_mok.c IMA: remove -Wmissing-prototypes warning 2021-07-23 08:05:06 -04:00
ima_policy.c ima: Avoid blocking in RCU read-side critical section 2024-06-13 14:26:50 -04:00
ima_queue_keys.c fs: port xattr to mnt_idmap 2023-01-19 09:24:28 +01:00
ima_queue.c IMA: support for duplicate measurement records 2021-06-11 12:54:13 -04:00
ima_template_lib.c integrity: Avoid -Wflex-array-member-not-at-end warnings 2024-04-08 07:55:48 -04:00
ima_template_lib.h ima: define a new template field named 'd-ngv2' and templates 2022-05-05 11:49:13 -04:00
ima_template.c ima: Fix misuse of dereference of pointer in template_desc_init_fields() 2022-11-16 11:47:55 -05:00
ima.h lsm: add the inode_free_security_rcu() LSM implementation hook 2024-08-12 15:35:04 -04:00
Kconfig ima: Move to LSM infrastructure 2024-02-15 23:43:46 -05:00
Makefile ima: Make it independent from 'integrity' LSM 2024-02-15 23:43:47 -05:00